[Bug]: Sandbox enabled by default on update breaks all exec for existing single-user setups

[fwends]

Bug type

Regression / breaking change without migration path

Summary

After updating from a pre-sandbox version to 2026.4.1, a Docker sandbox container is automatically created and enabled for existing agents with no prior sandbox configuration. This silently breaks all exec tool calls — commands are blocked with "allowlist miss" and approval popups appear that cannot be dismissed or disabled.

The result is a complete loss of exec functionality for existing setups. There is no warning during startup, no migration guide, and no clear way to opt out. A working setup is broken with no path to recovery visible to the user.

Impact

• All cron-triggered exec commands fail silently
• Approval popups appear on every exec call and cannot be dismissed permanently
• tools.exec.ask = "off" is ignored while sandbox is active
• tools.exec.host = "gateway" is ignored while sandbox container exists
• exec-approvals.json defaults (ask: "off", security: "none") are ignored
• Per-agent tools.exec.ask = "off" is ignored
• The only fix is to manually destroy the Docker container (docker rm -f openclaw-sbx-agent-main-*) — this is not documented anywhere

Time lost

Over 1 hour diagnosing this for a single-user local gateway setup that was fully functional before the update. None of the documented config options (ask, security, host) had any effect while the sandbox container existed.

Steps to reproduce

1. Have a working single-user local gateway setup with agents using exec (Python scripts, cron jobs)
2. Update to 2026.4.1 (pulls sandbox-related commits)
3. Gateway starts normally — no warnings about sandbox activation
4. Agent attempts any exec command
5. Approval popup appears. Clicking "Always allow" has no persistent effect.
6. Setting tools.exec.ask = "off" globally and per-agent has no effect
7. All cron exec jobs fail with "allowlist miss"

Fix required

• Sandbox must not be enabled by default for agents with no sandbox config
• OR: startup must warn clearly that a sandbox container was created and how to disable it
• OR: tools.exec.host = "gateway" must bypass the sandbox container entirely
• openclaw doctor --fix should detect and offer to remove orphaned sandbox containers
• Migration guide needed for users updating from pre-sandbox versions

Environment

• Version: 2026.4.1
• Platform: macOS, LaunchAgent gateway
• No Docker sandbox config in any agent before update
• Single-user operator setup

[SonicBotMan]

We run multiple cron jobs in production (heartbeat every 5min, hourly bounty scans, daily asset publishing) and can confirm cron behavior varies under load.

Observations:

• Under normal load, 5-minute crons execute within ±1 minute tolerance
• Under heavy load (concurrent subagents + memory search), drift can reach 5-10 minutes
• Gateway restart causes cron state reset, compounding drift

Our workaround: we use system crontab for critical timing-sensitive tasks and OpenClaw cron for best-effort periodic checks.

[fwends]

I'm really happy for you that your cron works but these updates have completely broken a normal setup that was working perfectly. How does your telling us that your system works help us?

We are constantly having to do workarounds for crons and all sorts of things because every single day something is breaking because it's so badly coded. We are faced with constant problems all the time to try and keep this thing up. It's absolutely awful to work with and everybody's got some nasty workaround

[steipete]

Closing this as implemented after Codex review.

Current main already implements the requested behavior: implicit tools.exec.host=auto now resolves to gateway when no sandbox runtime is active, while explicit host=sandbox still fails closed. The issue timeline also links a follow-up PR targeting this exact report, and the latest shipped release tag v2026.4.23 contains the fixed logic and regression coverage.

What I checked:

• Runtime host selection now depends on actual sandbox runtime state: resolveExecSandboxAvailability derives availability from resolveSandboxRuntimeStatus(...).sandboxed, and resolveExecDefaults feeds that into exec target resolution so auto only becomes sandbox when a runtime is actually active. (src/agents/exec-defaults.ts:56, 11cffb230013)
• auto falls back to gateway when sandbox is unavailable: resolveExecTarget sets effectiveHost to gateway when the resolved target is auto and sandboxAvailable is false. (src/agents/bash-tools.exec-runtime.ts:235, 11cffb230013)
• Regression tests cover the reported scenario: Agent exec tests now assert that implicit auto exec runs successfully on gateway without a sandbox runtime, and that explicit host=sandbox still throws a sandbox-runtime-required error. (src/agents/pi-tools-agent-config.exec.test.ts:72, 11cffb230013)
• Path-level exec tests match the same contract: bash-tools.exec.path.test.ts separately verifies that implicit auto host routes to gateway when sandbox runtime is unavailable, and explicit sandbox host fails closed. (src/agents/bash-tools.exec.path.test.ts:311, 11cffb230013)
• Docs now describe sandbox-off auto routing explicitly: The security and troubleshooting docs state that sandboxing is opt-in, host=auto resolves to sandbox only when a sandbox runtime is active, and otherwise resolves to gateway, with tools.exec.host=gateway as the explicit host-routing override. Public docs: docs/help/troubleshooting.md. (docs/help/troubleshooting.md:311, 11cffb230013)
• Issue timeline already points to the targeted fix PR: The provided issue timeline cross-references closed PR #67468, titled fix(exec): do not resolve auto exec host to sandbox when mode is off (fixes #58885), which directly matches this report.

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against 11cffb230013; fix evidence: release v2026.4.23, commit a9797214338b.